Skip to content

v1.4.0

Latest

Choose a tag to compare

@mmcdole mmcdole released this 11 Jul 00:22
ec8fd42

This release focuses on bug fixes for malformed and off-spec feeds. Illegal XML control characters, unusual date formats, incorrectly typed JSON Feed fields, and unescaped ampersands in URLs could previously break a parse or silently drop content. The parser now handles these cases without failing the feed or losing the affected content.

It also fixes a lazy-initialization data race when a default-configured Parser is reused across goroutines (#278). Three new options give callers more control over resource use: an HTTP response-size limit, optional retention of the original source feed, and a switch to disable RSS content-image scanning.

For RSS and Atom, the universal Parser.Parse method no longer holds two complete copies of the raw feed in memory during format detection. It examines the first 4 KiB, detects the format, and then parses directly from the reader. The returned Feed is still fully materialized, so this is not a streaming API. JSON Feed decoding still buffers the complete document.

Compatibility

  • Go 1.25 or newer is required. v1.4.0 updates golang.org/x/net from v0.4.0 to v0.56.0 to resolve 22 reachable vulnerabilities reported by govulncheck; that release and its golang.org/x/text dependency require Go 1.25.
  • ParseURL now applies a 30-second request timeout. ParseURLWithContext continues to use the caller's context.
  • Parse now examines only the first 4 KiB to detect the feed type. RSS and Atom roots must begin within that window. In v1.4.0, a JSON Feed whose complete document does not fit within the window is not detected by the universal Parser and returns ErrFeedTypeNotDetected.
  • The text returned by ErrFeedTypeNotDetected.Error() now begins with lowercase failed.
  • No exported v1 identifier was removed. Feed now has private storage for the original source feed, so external positional Feed{...} literals no longer compile; keyed literals are unaffected.

Added

  • Add Parser.MaxByteSize and ErrResponseTooLarge to limit response bodies fetched by ParseURL and ParseURLWithContext. (#286)
  • Add Parser.KeepOriginalFeed and Feed.OriginalFeed() for access to the parsed *rss.Feed, *atom.Feed, or *json.Feed. (#289)
  • Add DefaultRSSTranslator.DisableContentImageScan to skip the HTML image fallback on large feeds while preserving existing behavior by default. (#330)

Parsing and translation fixes

  • Fix a data race when the same default-configured Parser is reused across goroutines. (#278)
  • Limit universal-parser format detection to a 4 KiB lookahead, parse RSS and Atom directly from the reader without retaining two complete raw copies, and propagate reader I/O errors. (#327)
  • Preserve parse errors when closing an HTTP response also returns an error.
  • Tolerate non-HTTP URI schemes and resolve RSS and Atom xml:base values without mutating sibling scope. (#240, #283, #290)
  • Resolve every URI-bearing HTML attribute, including elements with multiple URI attributes. (#323)
  • Preserve ordinary Atom content that merely looks like base64 and trim whitespace-prefixed Atom links. (#238, #283)
  • Promote embedded Atom author, date, content, summary, and category elements from RSS into universal fields. (#292)
  • Correct RSS guid isPermaLink handling and replace the invalid itunes:subtitle feed-link fallback with atom:link. (#283, #322)
  • Handle illegal C0 XML controls, mixed CDATA content, namespace whitespace, <cloud> children, and non-content <encoded> elements without losing the feed. (#284, #295, #317, #318, #325)
  • Continue entity decoding after bare ampersands without corrupting query parameters that resemble legacy HTML entities. (#319, #321)
  • Correct named timezone offsets and additional date layouts. (#234, #282, #324)
  • Tolerate off-spec JSON Feed IDs, booleans, attachment sizes, and durations; use attachment byte size for Enclosure.Length; and reject out-of-range numeric sizes safely. (#279, #326)
  • Prevent sorting panics when items have nil parsed publication dates.

Dependencies and maintenance

  • Replace jsoniter with encoding/json. (#280)
  • Migrate to github.com/mmcdole/goxpp/v2 v2.0.0. (#329)
  • Replace goquery and cascadia with direct x/net/html traversal. (#330)
  • Upgrade golang.org/x/net and golang.org/x/text for security, and upgrade testify and urfave/cli.
  • Expand regression fixtures and consolidate parser and translator control flow. (#332, #333)
  • Add contributor guidance and test-fixture conventions. (#331)
  • Modernize GitHub Actions with stable/oldstable builds, race-enabled shuffled tests, Staticcheck, govulncheck, Codecov, and Dependabot; remove the defunct Travis configuration. (#297, #335)

Contributors

Contributions in this release came from @mmcdole, @TypicalAM, @oprudkyi, and @akfaew.

Full changelog: v1.3.0...v1.4.0